Recently, the Shmoo Group discovered that Firefox is vulnerable
to precisely the exploit that i predicted in my 2002 paper [1] on
Secure Interaction Design (and i'm sure many others predicted it
years before that): its support for Internationalized Domain Names
includes displaying a Unicode domain name in the location bar,
thereby allowing domains to indistinguishably spoof other domains.
http://shmoo.com/idn/
In their example, the domain "www.p\u0430ypal.com" spoofs
"www.paypal.com". The "\u0430" character (encoded in HTML as
&#1072;) is a lowercase Cyrillic "a", which looks exactly the
same as the Latin small letter "a".
The domain name system supports these Unicode domains by encoding
them into standard domain names -- in this case the actual domain
accessed is www.xn--pypal-4ve.com, but Firefox displays it as
"www.paypal.com". This works EVEN IF HTTPS IS USED.
If you type "www.xn--pypal-4ve.com" into the location bar, then
the domain displays as "www.xn--pypal-4ve.com". If you click
on the link containing the Cyrillic "a", the domain displays as
"www.paypal.com" even though you are looking at exactly the same
site. So Firefox actually violates the principle of identifiability
in both directions -- it makes different domains look the same,
and also makes the same domains look different.
Unfortunately, so far the response to this announcement has only
been "Oh well. Too bad!" No one can see any other way to make
IDNs work. The only solution is to turn off IDNs altogether.
Pet names would be a good step toward a solution of this problem.
However, i'm inclined to think that Unicode domain names are just
inherently insecure and should not be used. Even if users learn
to identify sites with pet names, they are still vulnerable to
confusion if they look at the location bar, read the name there,
and type it into the location bar later.
What do you think of this problem?
-- ?!ng
[1] http://zesty.ca/sid
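The mechanism described above, worked through as an added example (not code from the Shmoo Group or the author): it encodes the spoof domain to its xn-- wire form, decodes it back, and applies a display rule that shows Unicode only when every label is written in a single script, so that the same domain is always shown the same way whichever form was typed or clicked. The script detection via character names is a heuristic assumed here, since Python's unicodedata has no Script property; the sample domain is constructed to match the Shmoo example.

```python
import unicodedata

# Constructed sample: the Shmoo example with a Cyrillic small letter a (U+0430).
SPOOF_DOMAIN = "www.p\u0430ypal.com"


def label_scripts(label: str) -> set:
    """Set of scripts used by the letters of a decoded label.

    Heuristic (assumption): the script is the first word of each letter's
    Unicode character name, e.g. "LATIN" or "CYRILLIC".
    """
    scripts = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def to_ascii(host: str) -> str:
    """Encode a host (Unicode or already in xn-- form) to its ASCII wire form."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Decode an xn-- wire-form host back to Unicode."""
    return host.encode("ascii").decode("idna")


def safe_display(host: str) -> str:
    """What a location bar should show.

    Unicode is shown only if every label uses a single script; otherwise
    the raw xn-- form is shown. Both the Unicode and the xn-- spelling of
    one domain therefore produce the same display string.
    """
    ascii_host = to_ascii(host)
    unicode_host = to_unicode(ascii_host)
    for label in unicode_host.split("."):
        if len(label_scripts(label)) > 1:
            return ascii_host
    return unicode_host


if __name__ == "__main__":
    print(to_ascii(SPOOF_DOMAIN))               # www.xn--pypal-4ve.com
    print(safe_display(SPOOF_DOMAIN))           # www.xn--pypal-4ve.com
    print(safe_display("www.xn--pypal-4ve.com"))  # same display either way
    print(safe_display("www.paypal.com"))       # www.paypal.com
```

A label spelled entirely in one confusable script passes this check unchanged, which is exactly why display rules alone do not settle the problem the post raises.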